Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?
A.
Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
B.
Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
C.
Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
D.
Untrust (any) to DMZ (1.1.1.100), web browsing - Allow
The given answer D is correct - my previous answers are wrong. There are two policies at play here - the security policy and the NAT policy. I thought the question related to the NAT policy - it doesn't - it asks about the security policy.
The correct answer is:
A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
Explanation:
1. Destination NAT (DNAT) is configured to map 1.1.1.100 (public IP) to 10.1.1.100 (private IP of the web server in DMZ).
2. When external users from the Untrust zone (e.g., 1.1.1.250) try to access the web server using 1.1.1.100, the firewall translates this destination to 10.1.1.100.
3. Security policies always evaluate traffic after NAT has been applied. So, the destination in the security policy should match 10.1.1.100.
4. The correct security policy should allow traffic from Untrust (any) to DMZ (10.1.1.100).
When configuring security policies for Destination NAT (DNAT) on a Palo Alto firewall:
- The pre-NAT IP is used in NAT rules.
- The post-NAT IP is used in security policies.
I believe the answer here is B, as the NAT is done on the untrusted side; therefore the security policy has to be Untrust (any) to Untrust (DNAT). Within the NAT configuration the real address would be mapped, and so would the DMZ zone.
Answer is D
"It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones".
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview#:~:text=It%20then%20evaluates%20and%20applies%20any%20security%20policies%20that%20match%20the%20packet%20based%20on%20the%20original%20(pre%2DNAT)%20source%20and%20destination%20addresses%2C%20but%20the%20post%2DNAT%20zones
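As an added illustration (not part of the question or of any comment on this page), the Python script below models the evaluation order the quoted PAN-OS documentation describes: the NAT rule is matched on the original packet, the destination zone is then re-derived from the translated address, and the security policy is matched on the pre-NAT addresses together with those post-NAT zones. Each answer option is evaluated as if it were the only rule in the rulebase. The addresses 1.1.1.100, 10.1.1.100 and 1.1.1.250 are from the question; the zone subnets (1.1.1.0/24 as Untrust, 10.1.1.0/24 as DMZ), the NAT rule name and the dataclass layout are assumptions of this example, not anything from the exhibit.

```python
"""Model of PAN-OS policy evaluation for a DNAT'd session (illustrative, constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed topology: Untrust interface on 1.1.1.0/24, DMZ interface on 10.1.1.0/24.
ZONE_ROUTES = [
    (ipaddress.ip_network("1.1.1.0/24"), "Untrust"),
    (ipaddress.ip_network("10.1.1.0/24"), "DMZ"),
]
DEFAULT_ZONE = "Untrust"  # default route points at the Internet


def zone_for(ip: str) -> str:
    """Route lookup: the zone of the interface that reaches this address."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_ROUTES:
        if addr in net:
            return zone
    return DEFAULT_ZONE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    app: str


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # zone of the ORIGINAL destination (route lookup on pre-NAT dst)
    original_dst: str
    translated_dst: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str          # compared against the POST-NAT destination zone
    dst: str              # compared against the PRE-NAT destination address
    app: str
    action: str


# Assumed NAT rule: Untrust -> Untrust, destination 1.1.1.100 translated to 10.1.1.100.
NAT_RULES = [NatRule("dnat-web", "Untrust", "Untrust", "1.1.1.100", "10.1.1.100")]


def nat_lookup(pkt: Packet) -> Optional[NatRule]:
    """NAT rules match on pre-NAT zones and addresses; first match wins."""
    for rule in NAT_RULES:
        if (rule.from_zone == zone_for(pkt.src)
                and rule.to_zone == zone_for(pkt.dst)
                and rule.original_dst in ("any", pkt.dst)):
            return rule
    return None


def security_lookup(pkt: Packet, rules: List[SecurityRule]) -> Optional[SecurityRule]:
    """Security policy: pre-NAT source/destination addresses, post-NAT zones."""
    nat = nat_lookup(pkt)
    post_nat_dst = nat.translated_dst if nat else pkt.dst
    src_zone = zone_for(pkt.src)
    dst_zone = zone_for(post_nat_dst)       # second route lookup on the translated address
    for rule in rules:
        if (rule.from_zone == src_zone
                and rule.to_zone == dst_zone
                and rule.dst in ("any", pkt.dst)   # original address, not post_nat_dst
                and rule.app in ("any", pkt.app)):
            return rule
    return None


# The four answer options, each written as a single security rule.
CANDIDATES = {
    "A": SecurityRule("A", "Untrust", "DMZ", "10.1.1.100", "web-browsing", "allow"),
    "B": SecurityRule("B", "Untrust", "Untrust", "1.1.1.100", "web-browsing", "allow"),
    "C": SecurityRule("C", "Untrust", "Untrust", "10.1.1.100", "web-browsing", "allow"),
    "D": SecurityRule("D", "Untrust", "DMZ", "1.1.1.100", "web-browsing", "allow"),
}


def matching_candidates(pkt: Packet) -> List[str]:
    """Which options, used alone as the rulebase, would allow the session."""
    return [name for name, rule in CANDIDATES.items()
            if security_lookup(pkt, [rule]) is not None]


if __name__ == "__main__":
    request = Packet(src="1.1.1.250", dst="1.1.1.100", app="web-browsing")
    hit = nat_lookup(request)
    print("NAT rule hit:", hit.name if hit else None)
    print("Options that allow the session:", matching_candidates(request))
```

Running it with the client request from the question returns only D: the NAT rule is hit, the post-NAT zone is DMZ, and the security rule still has to name the original address 1.1.1.100. Option A only matches if a client addresses 10.1.1.100 directly (no NAT rule is hit, so the pre-NAT address and the DMZ zone line up), which is not the scenario in the question.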
As @Surfside92 mentioned, according to the CBT Nuggets video (I watched the same one), the answer should be B.
However, @ntir shared the link which shows literally this situation. I would go with D because it's from the PA site.
D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping#ide8f6a4b3-f875-4855-acb5-5fd9ad918d04
Commenters and posting times:
Surfside92 (Highly Voted): 2 years, 4 months ago
mirko1976 (Most Recent): 1 week, 5 days ago
de7cdfd: 3 months ago
Jallic: 4 months, 3 weeks ago
Russ_A7x: 11 months, 3 weeks ago
Kvant: 1 year, 6 months ago
Grace_Shu: 1 year, 8 months ago
Aaron_0801: 1 year, 9 months ago
nolox: 1 year, 10 months ago
ntir: 2 years ago
BeforeScope: 2 years, 1 month ago
Oteslar: 2 years, 2 months ago
PunkSp: 2 years, 2 months ago
Surfside92: 2 years, 4 months ago
Surfside92: 2 years, 4 months ago